WDK开发遇到个问题

MechanicsMingYan 2014-07-12 01:47:27

错误 3 error LNK2001: 无法解析的外部符号 "struct _ServiceDescriptorTable * KeServiceDescriptorTable" (?KeServiceDescriptorTable@@3PAU_ServiceDescriptorTable@@A) E:\U盘备份.2012.10.06.09.08\可移动磁盘\软件与源码\WDK\sys_ceshi_1\sys_ceshi_1\sys_ceshi_1.obj

上代码:



#include "stdafx.h"

#include <ntddk.h>

#include "sys_ceshi_1.h"

void sys_();

void sys_ceshi_1Unload(IN PDRIVER_OBJECT DriverObject);

NTSTATUS sys_ceshi_1CreateClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);

NTSTATUS sys_ceshi_1DefaultHandler(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);

typedef struct _ServiceDescriptorTable {

	PVOID ServiceTableBase; //System Service Dispatch Table 的基地址  

	PVOID ServiceCounterTable;

	//包含着 SSDT 中每个服务被调用次数的计数器。这个计数器一般由sysenter 更新。 

	unsigned int NumberOfServices;//由 ServiceTableBase 描述的服务的数目。  

	PVOID ParamTableBase; //包含每个系统服务参数字节数表的基地址-系统服务参数表 

}*PServiceDescriptorTable;  

extern PServiceDescriptorTable KeServiceDescriptorTable;

#ifdef __cplusplus

extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING  RegistryPath);

#endif



NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING  RegistryPath)

{

	UNICODE_STRING DeviceName,Win32Device;

	PDEVICE_OBJECT DeviceObject = NULL;

	NTSTATUS status;

	unsigned i;

	__asm int 3;

	RtlInitUnicodeString(&DeviceName,L"\\Device\\sys_ceshi_10");

	RtlInitUnicodeString(&Win32Device,L"\\DosDevices\\sys_ceshi_10");

	DbgPrint("驱动已加载");

	sys_();

	for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)

		DriverObject->MajorFunction[i] = sys_ceshi_1DefaultHandler;



	DriverObject->MajorFunction[IRP_MJ_CREATE] = sys_ceshi_1CreateClose;

	DriverObject->MajorFunction[IRP_MJ_CLOSE] = sys_ceshi_1CreateClose;

	

	DriverObject->DriverUnload = sys_ceshi_1Unload;

	status = IoCreateDevice(DriverObject,

							0,

							&DeviceName,

							FILE_DEVICE_UNKNOWN,

							0,

							FALSE,

							&DeviceObject);

	if (!NT_SUCCESS(status))

	{

		if (status==STATUS_INSUFFICIENT_NVRAM_RESOURCES)

		{

			DbgPrint("资源不足 STATUS_INSUFFICIENT_NVRAM_RESOURCES");

		}

		if (status==STATUS_OBJECT_NAME_EXISTS)

		{

			DbgPrint("指定对象名已存在 STATUS_OBJECT_NAME_EXISTS");

		}

		if (status==STATUS_OBJECT_NAME_COLLISION)

		{

			DbgPrint("对象名冲突 STATUS_OBJECT_NAME_COLLISION");

		}

		DbgPrint("设备创建失败！ NT_SUCCESS");

	}

	if (!NT_SUCCESS(status))

		return status;

	if (!DeviceObject)

		return STATUS_UNEXPECTED_IO_ERROR;



	DeviceObject->Flags |= DO_DIRECT_IO;

	DeviceObject->AlignmentRequirement = FILE_WORD_ALIGNMENT;

	status = IoCreateSymbolicLink(&Win32Device, &DeviceName);



	DeviceObject->Flags &= ~DO_DEVICE_INITIALIZING;



	return STATUS_SUCCESS;

}



void sys_ceshi_1Unload(IN PDRIVER_OBJECT DriverObject)

{

	DbgPrint("驱动已卸载");

	UNICODE_STRING Win32Device;

	RtlInitUnicodeString(&Win32Device,L"\\DosDevices\\sys_ceshi_10");

	IoDeleteSymbolicLink(&Win32Device);

	IoDeleteDevice(DriverObject->DeviceObject);

}



NTSTATUS sys_ceshi_1CreateClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)

{

	Irp->IoStatus.Status = STATUS_SUCCESS;

	Irp->IoStatus.Information = 0;

	IoCompleteRequest(Irp, IO_NO_INCREMENT);

	return STATUS_SUCCESS;

}



NTSTATUS sys_ceshi_1DefaultHandler(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)

{

	Irp->IoStatus.Status = STATUS_NOT_SUPPORTED;

	Irp->IoStatus.Information = 0;

	IoCompleteRequest(Irp, IO_NO_INCREMENT);

	return Irp->IoStatus.Status;

}

//extern PSSDT KeServiceDescriptorTable;

void sys_()

{

	//UNICODE_STRING string;

	//RtlInitUnicodeString(&string,L"KeServiceDescriptorTable");

	//KeServiceDescriptorTable=(long)MmGetSystemRoutineAddress(&string);

	//if (KeServiceDescriptorTable<1)

	//{

	//	KdPrint(("获取系统导出符号：KeServiceDescriptorTable 失败！",KeServiceDescriptorTable));

	//	return ;

	//}

	int SSDT_NtOpenProcess_Cur_Addr=0x0;

	__asm

	{    int 3

		push ebx

		push eax

		mov ebx,KeServiceDescriptorTable

		mov ebx,[ebx] //表的基地址

	mov eax,0x7a

		shl eax,2//0x7A*4 //imul eax,eax,4//shl eax,2

		add ebx,eax//[KeServiceDescriptorTable]+0x7A*4

		mov ebx,[ebx]

	mov SSDT_NtOpenProcess_Cur_Addr,ebx

		pop  eax	

		pop  ebx

	}

	KdPrint(("SSDT_NtOpenProcess_Cur_Addr=%x\n\n",SSDT_NtOpenProcess_Cur_Addr));





/*

	ULONG SSDT_NtPenProcess_Cur_Addr;

	__asm

	{

		push ebx

		push eax

			mov ebx,KeServiceDescriptorTable

			mov ebx,[ebx]

			mov eax,0x7a

			imul eax,eax,4//0x7a*4

			add ebx,eax

			mov ebx,[ebx]

			mov SSDT_NtPenProcess_Cur_Addr,ebx



		pop eax

		pop ebx



	}*/



	//KdPrint(("SSDT_NtPenProcess_Cur_Addr=0x\n\n",SSDT_NtPenProcess_Cur_Addr));

}

问题就是关于：KeServiceDescriptorTable 导出符号的问题求解答

...全文

399 3 打赏收藏转发到动态举报

写回复

用AI写文章

3 条回复

切换为时间正序

请发表友善的回复…

发表回复

dq000003dq163 2015-05-12

打赏
举报

我也遇到了同样的问题,请问win7 32位的系统,怎么获取呢?

rcpqc 2014-08-24

打赏
举报

你是开发WIn7的驱动吧。你可以看看ntoskrnl.exe的导出表，win7的已经不导出这个KeServiceDescriptorTable了，可能是为了安全。网上很多代码是xp系统，那个时候还导出它。现在你只能通过一些特别的手段获得KeServiceDescriptorTable的地址。比如暴力搜索。下面是黑防上的代码 ULONGLONG GetKeServiceDescriptorTable64() //鬼佬的方法 { char KiSystemServiceStart_pattern[13] = "\x8B\xF8\xC1\xEF\x07\x83\xE7\x20\x25\xFF\x0F\x00\x00"; //睇唔明系么春特征码 ULONGLONG CodeScanStart = (ULONGLONG)&_strnicmp; ULONGLONG CodeScanEnd = (ULONGLONG)&KdDebuggerNotPresent; UNICODE_STRING Symbol; ULONGLONG i, tbl_address, b; for (i = 0; i < CodeScanEnd - CodeScanStart; i++) { if (!memcmp((char*)(ULONGLONG)CodeScanStart +i, (char*)KiSystemServiceStart_pattern,13)) { for (b = 0; b < 50; b++) { tbl_address = ((ULONGLONG)CodeScanStart+i+b); if (*(USHORT*) ((ULONGLONG)tbl_address ) == (USHORT)0x8d4c) return ((LONGLONG)tbl_address +7) + *(LONG*)(tbl_address +3); } } } return 0; }